Oh and before I forget, I must spend wayyyyy too much time on here.
Quoting GrumbleDook (to @Roberto and @CyberNerd):
I am asking these questions to try to pinpoint some stuff to take into a discussion on another forum (ok ... LinkedIn) looking at the legal aspect of BYOD. The discussion is a tad lengthy at the moment around Risk Assessment and Competent Person ... so I am trying to gather a few more examples of why and how schools have made certain decisions and who in those schools have made them. Some responses when the Qs have been asked elsewhere have indeed been all about the shiny and hype, and it is good to see the quick response from @CyberNerd.
Is that forum open to anyone, GrumbleDook?
What OS version are you on? Can't remember when, but I needed to upgrade the OS to get this to work. I'm currently on 18.104.22.168.
I created an LDAP server on the Aruba config (see below)
On the LDAP server (2008R2), under Network Policy Server, I created a policy to allow a specific AD group combined with a NAS port type (Wireless IEEE 802) so that only permitted users can log on.
We actually have a 3400 controller here after I checked.
Also on firmware 22.214.171.124 due to us using old 61 APs.
Thanks though, good to know it is possible in the future.
I would be interested what people are using for network access control and making sure devices are complying with AV and update policies.
At the time I couldn't afford one. I looked seriously at Network Sentry 500VM Network Control and Application Server, but it was the best part of 20k plus ongoing costs, so I opted not to bother at the moment. Everything is completely VLAN'd off, devices are unable to communicate with other devices, and an Ericom web connect solution is used to allow any device to connect to an RDP session via a browser using HTML5, so I'm not overly concerned about updates and AV at the moment.
Forgot to say, I'm just about to trial Aruba ClearPass; will update the post after the trial.
NAC: the other way might just be to upgrade the DHCP server to 2012, which allows you to filter IPs based on MAC for a specific VLAN.
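As an added illustration of the Windows Server 2012 DHCP policy approach mentioned in the post above (not the poster's own configuration), the following uses the DhcpServer module to give registered MAC addresses in a guest-VLAN scope their own address range and gateway; the scope ID, MAC values, ranges and policy name are assumed placeholders.

```powershell
# Added example: per-scope DHCP policy keyed on client MAC address.
# Assumptions (placeholders, not from the thread): the guest VLAN is served by
# the 10.50.0.0/24 scope, registered devices use the listed MACs/prefixes,
# and 10.50.0.254 is the gateway that the guest filtering line sits behind.
Import-Module DhcpServer

$scope      = '10.50.0.0'
$policyName = 'Guest-Registered-Devices'

# Match on MAC address; wildcards are allowed on the suffix, so a whole
# vendor prefix (school-owned kit) can be admitted alongside individual devices.
Add-DhcpServerv4Policy -Name $policyName -ScopeId $scope `
    -Condition OR `
    -MacAddress EQ,'00-11-22-33-44-55','AA-BB-CC-*' `
    -Description 'Devices registered for the guest VLAN'

# Matching clients lease only from this pool. Anything that does not match a
# policy falls through to the rest of the scope, so keep that remainder small
# and restricted (or empty) at the router/ACL if unregistered devices should
# get nothing useful.
Add-DhcpServerv4PolicyIPRange -Name $policyName -ScopeId $scope `
    -StartRange 10.50.0.100 -EndRange 10.50.0.199

# Option 3 (router): hand registered devices the gateway for the guest line.
Set-DhcpServerv4OptionValue -ScopeId $scope -PolicyName $policyName `
    -OptionId 3 -Value 10.50.0.254

# Verify what the scope will now enforce.
Get-DhcpServerv4Policy -ScopeId $scope | Format-Table Name, Enabled, ProcessingOrder
Get-DhcpServerv4PolicyIPRange -ScopeId $scope -Name $policyName
```

A MAC address is set by the client, and a device with a static address never talks to DHCP at all, so this sorts devices into pools rather than authenticating them; the VLAN isolation and 802.1X/NPS checks described earlier in the thread remain the actual controls.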
Just to update this I think we are finally getting to a good solution.
I tried implementing a transparent proxy but it slowed things down too much for normal users as they were filtered twice.
So what we have done is order a new Talk Talk line with IP-based filtering, which they call "HomeSafe". I now have the Aruba guest wireless using that as a gateway to a separate Talk Talk internet line. It works quite well and separates the guest users from the main network over a VLAN.
Basically I have built an entire 2nd network for this but hopefully it works in the real world.
Time to find out....
Project is complete!!
Guest network SSID [complete]
Captive Portal [complete]
Acceptable usage policies [complete]
Portal branding [still to do]
New internet line installed and activated [complete]
Route VLAN to the new gateway and internet line [complete]
Set IP-based filtering (thank you Talk Talk for being innovative in this area) [complete]
So when I try to access a naughty site we now get this:
And can manage it all on-line without any extra hardware like this:
So basically we are nearly there. The only question is whether we create the users manually or link them to Active Directory.
Thanks for the update @zag. How does the Talk Talk system deal with monitoring? If a pupil hits a block, is it recorded or flagged?
But as it's a "guest network", what they look at is totally out of my hands. I explained this to SMT as the biggest downside, but they insisted it was still a good idea.
Schools' dilemma on BYO technology
I wonder how to get hold of the original Dell report?